You are doing everything correctly. C# does not support indexed properties, so one should use the get_Names() method instead of the Names[] collection if using this language.

First of all, please try to enable TLS1.1 version explicitly if you are not doing it already. Some servers only support extensions if negotiating a TLS1.1 or TLS1.2 version. If enabling TLS1.1 doesn't help, please try enabling TLS1.2 as well.

Next, the server might be sensitive to the presence of subdomains in the host name. If the host name you are assigning to the name.Name property contains a subdomain (typically, 'www.'), please try to remove it from the host name and check if anything changes. And the other way round, if you are NOT passing subdomain name at the moment, please try passing it.

Yes we use SNI with android accessing the server successfully. The sniffer says its TLS 1.0 (but could by the organization proxy between too).

But anyway.. I can't set the version because i get this exception:

{SBSSLCommon.EElSecureClientError: Cannot support SSL 3.0 and TLS 1.1 and not support TLS 1.0
at SBSSLClient.TElSSLClient.SSLNegotiate(Boolean Value)
at SBSSLClient.TElSSLClient.Open()
at SBSimpleSSL.TElCustomSimpleSSLClient.Open()
at Services.CertValidationService.SslConnect()}

Also you need to notice, that the server can send more than one certificate and OnCertificateValidate is triggered for each certificate one by one. And it's possible that some CA certificate is sent before the end-entity certificate.

So you need to check all received certificates rather than abort the check on the first one.